Windows Enterprise Desktop

Nir Sofer of Nirsoft has written lots of great utilities, several of which I use pretty regularly. Recently while looking for information to compare UFD speeds (UFD stands for USB Flash Drive, for those not already hip to this abbreviation) I was guided to a page that Sofer set up to report on the results of a somewhat recent addition to the excellent USBDeview program that you can download for free from his site. If you go looking for it yourself on the linked page, be patient: you need to scroll all the way down to the “Publishing Your Speed Test Result” heading to get to the link at http://usbspeed.nirsoft.net. Here’s a UI view of the program from my desktop:

Basic info about all USB devices known to device manager whether present or absent

The cool thing about this utility is that it has all kinds of snazzy, user-callable command line capabilities as well as the basic GUI you see here. This is cool because it lets people use the tool to perform various kinds of tests and measurements including a basic UFD speed test that reads and writes a large (1 MB) file to and from the device to provide a rough’n’ready metric for its read and write speed. Sofer has also posted results for hundreds of such drives on his site and you can use this info to compare devices to each other (actual speeds will vary depending on the speed of the USB interfaces into which devices get plugged and the chipsets and controllers that manage them — but this is useful, because as long as those elements remain the same, users should get the same relative speeds from devices they look at in Sofer’s list, though their actual performance will vary).

Everybody’s heard about the Stuxnet virus by now, built specifically to attack Siemens’ SCADA systems through one of its most popular programmable logic controllers (PLCs). At the most recent Virus Bulletin conference in Vancouver, BC, in late September 2010, researchers from Symantec reported their findings about this fascinating and complex threat. These findings included their determination that Stuxnet includes “…the world’s first-ever toolkit designed for…” PLCs (SC Magazine, October 8, 2010) and that the complexity of the malware involved “…would have been written using 5-10 core developers over six months and tested on systems mirroring the process control hardware” according to statements attributed to Symantec researcher Liam O Murchu at that conference (ibid). In fact, for the attack to work, the Stuxnet developers “…would have needed to steal digital certificates used to sign driver files used in target systems” (ibid).

Clearly, this is not the work of a single alienated cracker with too much time on his or her hands (O Murchu puts his assessment in pithier language: “This is not a teenage hacker coding in his bedroom-type operation”). Because the attack apparently affected much of Iran’s nuclear development infrastructure, in fact, many people inside and outside that country see government funding (if not an outright government-led “black op”) behind the Stuxnet virus. Israel and the US lead the list of likely culprits, though proving such involvement is also nearly impossible.

But where things get interesting is in the byplay that follows disclosure of such technical analysis and information. The n3td3v IT Security Consultancy in the UK, which is the brainchild of a well-known and eccentric self-professed security “expert” named Andrew Wallace, posted this response to the aforecited SC Magazine article:

“Motivation behind Stuxnet.” BP lobbied for the release of the Lockerbie bomber, and the people responsible for Stuxnet wanted to make sure they paid. To make sure the oil deal from releasing the bomber, BP couldn’t make a profit from. Stuxnet targeted the oil well. There were a lot of unhappy people after the release of Abdelbaset Ali al-Megrahi. Abdelbaset Ali al-Megrahi was convicted for blowing up Pan Am Flight 103 over Lockerbie, Scotland, on December 21, 1988. He was freed on compassionate grounds by the Scottish government on August 20, 2009. The claim was he had terminal prostate cancer and was expected to have less than three months to live. It was a lie and he is still alive living the life of Riley in Libya.

In fact, n3td3v is pretty well-known in the security community because his identity serves as the focus of a BlackHat study from 2006 entitled Who is “n3td3v”? Andrew Wallace has even had his psychological profile “done” on the full disclosure list upon which he made something of a pest of himself in that time frame. But as interesting technical events unfold on the information security stage, there’s apparently always a temptation to exploit the notoriety and the publicity that surrounds spectacularly successful (or mysterious) exploits like this one. Who’s to say if this kind of epiphenomenon doesn’t make the whole situation still more compelling than it already is?

The story begins with a nod to a 2009 Gartner study that estimated the costs of migrating from Windows 2000 or XP to Vista or 7 at “three to four times the cost of upgrading from Windows Vista to Windows 7 because of application remediation and replacement cost.” Numbers cited vary from $1,035 to $1,930 for the big jump versus from $339 to $510 per user for the smaller jump.

App-DNA’s product, AppTitude, helps to automate compatibility testing for the thousands of applications in use in a typical enterprise that might be contemplating a major OS upgrade, platform migration, or virtualization effort. Big names who’ve used this technology to good effect include BAE Systems, British Telecom (BT), Exxon Mobil, and Barclays.

Numerous big customers (names withheld) have experienced cost reductions when using AppTitude to focus and guide migration efforts from 50 – 75% of original estimated costs. Other outfits cite ongoing annual savings of $3M per year thanks to AppTitude.

The “DNA” terminology comes from detailed analysis of common software components in applications, to build a database that captures somewhere around 80,000 data points around individual applications. This permits incredibly detailed profiling, and equally accurate assessments of potential compatibility issues.

As I said in the lead-in ‘graph, see the original story for more details and info, or visit the App-DNA Resources page for Windows 7 application migration checklists, workbooks, case studies, plus eBooks and white papers.

I’ve long been a fan of the Secunia vulnerability scanning and patching alert tools, known as the Personal Software Inspector (PSI) in its free for individual, at-home use version, and the Corporate Software Inspector (CSI) in its for-a-fee version for workplace use. A beta version of the next generation of PSI has been out for at least a couple of months now, but I finally got around to installing and working with this tool, and I very much liked what I saw (warning: on one of my 64-bit test machines, I had to explicitly use the right-click “Run as administrator” option to get the program to install properly; be prepared should this happen to you, or should you encounter difficulties the second time you run the program).

Here’s a snap-by-snap recitation of the install and first run processes for this nice piece of software, available for download as the PSI 2.0 BETA:

The installer is smart enough to catch and replace the prior PSI version

Next the installer begins the actual PSI 2.0 installation

But first the old 1.5.x PSI version must be rooted out

The obligatory EULA screen requires your assent

The best new feature in PSI 2.0 is auto-update so it gets turned on by default

When non-admin users run PSI this lets them see what it is doing

An interesting technique to flag the readme file for user attention

The default install location is usually fine

Installation goes pretty quickly (less than a minute)

Next comes a request to run the program for a first time

A status box shows the connectivity check and rules download

The initial screen shows a reworked dashboard

The revised scan window uses the same dashboard layout

Overall, the new layout is cleaner and the software is more user-friendly

In terms of overall functionality — except for the program’s new auto-update facility, which allows it to handle downloading and installing updates without requiring user interaction — there isn’t much else new about the 2.0 beta version of PSI. What is new, however, is a complete reworking of the user interface that is much cleaner and easier to follow and that does away with the former version’s Simple and Advanced UI modes, probably because the redesign makes that distinction moot. Check out the program and see what you think: I’m looking forward to the commercial release myself!

If you work with solid state disks, you’re probably already familiar with the various tools that your drive vendors provide for their units. Mostly, these are tools for checking and upgrading firmware, but occasionally, you’ll also come across a great tool like the Intel SSD Toolbox as well (note: a new version of this tool — v.2.0.1.000 — was released on October 19, 2010, so if you haven’t grabbed it yet follow the link and do that right now).

But there is at least one vendor-neutral tool that’s also worth adding to your system admin/troubleshooting toolbox if you work with SSDs — namely, the CrystalDiskInfo utility from Crystal Dew World (how the Japanese come up with these weird and wonderful Website names continues to amaze and delight me). It can help with several key items of information:

Firmware revision: This tells you the version number for the SSD firmware installed on the drive you’re inspecting. This can be a key element in obtaining the best possible performance from an SSD, and is information worth knowing.

Supported Features: This tells you what advanced features are turned on for the drive you’re inspecting. The TRIM feature is probably the most important item to look for. TRIM provides erasure optimization for SSDs, and allows blocks of data to be flagged for erasure and re-use, and permits garbage collection to be deferred until a convenient time, while also permitting the drive to manage its free space internally and to make sure it can generally provide blank pages for writing to satisfy pending write requests — SSDs can write to occupied pages, but they must erase those pages before writing can occur, which slows writes down. Likewise SSDs write data at the block level, not the page level, so writing requires special handling especially when used in tandem with wear-leveling algorithms used on SSDs to keep “wear” even across the entire disk.

Other features you’re likely to see turned on for PC SSDs include: SMART (Self-Monitoring, Analysis, and Reporting Technology, a monitoring system common on most hard disks and modern storage devices, including SSDs), 48bit LBA (48-bit logical block addressing, a linear addressing scheme for hard disks introduced with ATA-6 in 2003), and NCQ (native command queueing, a technology for improving SATA hard disk performance by enabling the disk firmware to optimize the order in which it satisfies read requests).

Other features you won’t find on SSDs, but will find for conventional hard disks are APM (Advanced Power Management, used to turn down power consumption on conventional spinning drives when they’re idle, but unnecessary on SSDs) and AAM (automated acoustic management, used to keep the noise that spinning drives can emanate to a minimum, also unnecessary on SSDs, which have no moving parts). You also won’t see temperature reported for SSDs, though such information is customary on SMART hard disks.

CrystalDiskInfo shows all of these things, and more, as you can see here:

Output for an Intel 80GB X25-M SSD

A bit more data is presented for conventional (spinning) hard disks, like this Samsung 1GB SpinPoint drive, including temperature information, and lots of sector handling stats:

There is more to report on spinning drives

Best of all, this tool is freeware, and thus can’t strain your tools budget even one little bit. Check it out: you’re bound to like it. The same site also offers other free tools as well, and will reward the download and playtime required to learn them.

I’m currently in the throes of building a new primary production PC, and getting ready to migrate from my current production machine to its imminent successor. As I’ve gone through the latest build process I’m astounded by how much computing power you can buy for the bucks these days, and how much easier it’s getting to put complex systems together. Knocking on wood, I’m also happy to report that my new box ran the first time I powered it up and I was able to go straight from the initial power-on test to the OS install phase. This isn’t exactly a first for me, but it’s rare enough that I’m pretty happy about that aspect of the experience.

I did go through some “interesting behavior” during Windows 7 installation, though: for some reason, I couldn’t load the OS from my install DVD when I loaded it into the brand-new LG WH10LS30 Blu-ray burner. And it wouldn’t install from my handy-dandy external USB-based DVD burner either (essential for somebody like me who sometimes works on ultraportable notebook and netbook PCs): the installer informed me that a driver was missing without providing me too much guidance to figure which one was AWOL, or where to go find the right one. So I created a new Windows 7 bootable UFD by using the Win7Professional x64 .iso from MSDN along with the Windows 7 USB DVD Download Tool and handled the install that way instead.

With a brand-new virgin machine at my disposal and some prior experience with SSDs under my belt, I knew to configure the system to run AHCI in the BIOS before the install, which led to a successful and simple first installation onto the 120GB OCZ Vertex2 drive I chose for the system/boot drive on that machine. The mobo is an Asus P6X58D-E with an Intel i7-930 CPU, a GTX460 graphics card, 12 GB of G.Skill DDR3-1600 RAM (3x4GB DIMMs), which also gives me SATA 3 (6.0 Gbps) and USB 3.0 interfaces to play with as well. I chose the Corsair H70 CPU cooler for the unit’s LGA1366 CPU, and its liquid cooling has proved pretty capable: the machine normally runs at temps from 36 – 42 °C, while it seldom exceeds 70 °C under heavy loads or stress testing (I’ve overclocked the CPU from its nominal 2.8 GHz speed to 3.8 GHz, and have also boosted the clock and memory rates on the GTX460 graphics card as well thanks to the killer MSI Afterburner utility).

I also hit an interesting gotcha while bringing the system’s firmware and drivers up to date, as I ran the OCZ 1.24 Firmware update utility, just released yesterday (11/18/2010). As recommended I did make an image backup of the drive before tackling this task, so when my machine blue-screened during the firmware update, I didn’t break too much of a sweat. I did find myself wondering if munged firmware would require me to return the drive to OCZ for a replacement, but when I saw the drive still correctly identified in the BIOS after a reboot, I breathed a sigh of relief. All I had to do was remove the SSD from its home machine, mount it on another Windows box, and run the firmware update utility on a system where the drive being updated was not the system drive, and everything worked flawlessly. To my delight, upon re-inserting the drive into its home system, and tweaking the BIOS to restore it to its proper boot position during start-up, the contents of the drive were completely unaffected. I’d more than halfway expected to have to reformat the SSD and then use my install UFD to reload the image from that system’s backup drive.

Over the next week to ten days I’ll be finishing up the new machine install and configuration, after which I’ll use a new copy of LapLink PC Mover to migrate my production environment from my current/old production machine to this brand-spanking new one. Count on me to report further on learning and experience as I go through those motions. I’m also going to have to find a local machine shop to make a clean cut-out in the side panel of the Antec 902 case in which I made this build: in attaching the H70 cooler to the unit’s 120mm rear exhaust fan mount points, the cooler projects about 3/8″ outside the normal limits of the enclosure. I’ll post pictures once I get this all straightened out. Please let me know if you’d like me to post complete hardware specs for this unit, too: I paid around $1,800 for its components, but I think you can buy all those parts brand-new right now for more like $1,600.

Windows maven Paul Thurrott suggests an interesting technology fix in a recent SuperSite blog entitled “Solving IE 6 Compatibility Issues Doesn’t Require Expense, Complexity of Virtualization.” In a nutshell, his prescription is a software solution called Browsium Unibrows that enables IE 6 access only to those pages or Websites that specifically need it, often on an organization’s own intranet. It’s set up to run as an IE 8 (or 9) child process that hides all the underlying complexity from its users and involves a minimal (under 100 MB) memory footprint. It enables users to access sites with older, incompatible software versions of Flash, Java, and so forth on a per-page basis, and works with Group Policy rules to do its thing. Microsoft does require that IE 6 support elements be downloaded separately during installation, with relevant licenses for XP to match, so legal entanglements are avoided.

The program is in beta right now, but is expected to go commercial sometime soon. The software may be licensed for a mere $5 per seat per year. As Thurrott observes this is a good deal for a temporary solution to compatibility problems before April 8, 2014, when everything will have to migrate anyway as XP support vanishes completely. Sounds interesting…maybe you should check it out!

We’ve been living in a brave new world of Web-based apps for nearly a decade now, and some of the smelly old birds that took off in the early days are coming home to roost. What do I mean? Well, check out this recent story by Mary Jo Foley entitled “Gartner: Existing options for migrating from IE 6 are too pricey, risky” to see what I’m talking about. Her basic point is that Gartner’s research tells them that many organizations are still supporting or continue to standardize on IE 6 because they don’t want to budge from a substantial installed base of IE 6 based applications, many of which are line-of-business or downright mission critical.

Sure, it’s easy to build programs to interact with users via a Web browser, but the more customized (and browser-dependent) that code becomes, the harder it also becomes to move the code base forward as newer browser versions replace older ones. I can’t help but believe this is exactly what makes products like the InstallFree 7Bridge (which I blogged about last week) so appealing to so many enterprise customers because it enables them to move their computing platforms forward to Windows 7, while allowing them to access their IE 6 dependent services within a workable wrapper that looks and acts like IE 6 on XP inside the envelope, but that drops into the Windows 7 runtime environment with nary a ripple or problem.

What’s wrong with this approach, you ask? Here’s what Mary Jo says with chilling effect:

Companies including InstallFree, VMware, Symantec and Spoon.Net are offering tools specifically for virtualizing older versions of IE for use on Windows 7, Gartner said. “They embed certain OS components with the IE ‘bubbles’ to allow IE6 or IE7 to run and provide compatibility. But this kind of virtualization may run afoul of Microsoft licensing,” Gartner is warning its clients.

Furthermore, she quotes as follows from Gartner’s advice to enterprise customers regarding requests for “indemnification clauses” they should make:

Request Microsoft to grant specific contractual amendments to allow you to virtualize IE6 as a Windows 7 compatibility solution without fear of reprisal (but consider that Microsoft could still pursue your application virtualization vendor with legal action). Organizations in need of IE6 compatibility solutions that don’t have sufficient licenses to use Terminal Services and want to comply with Microsoft’s recommendation to avoid IE6 application virtualization should petition Microsoft for use of Windows 2003 Server software and associated Remote Desktop Services (RDS) client access licenses (CALs) for the sole use of accessing IE6 at no charge through 8 April 2014.

Microsoft has yet to comment on the potential for legal issues that might arise from third parties (such as InstallFree, VMWare, Symantec, and even Spoon.net) bundling older operating systems components and capabilities along with older code to create usable, Windows-7-friendly runtime environments. But gosh, unless everybody’s planning on getting off the IE 6 bus by the time all XP support ends forever on April 8, 2014, this could be a huge potential liability for such organizations to swallow. Should be really interesting to see how this one turns out.

I’ve got an older, but still pretty powerful HP notebook I use for testing and watching the occasional video. It’s a HDX9203KW, aka “The Dragon” because of its snazzy exterior design. With 8 GB of RAM and 1.5 TB of disk space, it’s pretty powerful as notebooks go, and it runs Windows 7 like a top — most of the time. Thing is, HP never released a full complement of Windows 7 drivers for this notebook (it’s fully covered for Vista, but these units were so big and expensive, HP discontinued the model after only two years of production, and they apparently didn’t see fit to lead their buyers into the brave new world of Windows 7).

Thanks to the folks at the Notebook Review “HP HDX Dragon Owner’s Lounge” plus a little help and expert steering from my friend John RV Jones (a fellow Dragon owner who worked his way through the upgrade a couple of months before I had time to tackle it myself, and consequently saved me oodles of time running around and running down drivers and potential issues), plus a peachy Windows 7 Installer’s Guide, I have been able to get Windows 7 up and running on this machine. In fact, I’ve got all the hardware working properly, but it doesn’t work with all the most current drivers for the various devices installed on the machine (I’m guessing it probably gets down to BIOS support issues and HP simply hasn’t updated the BIOS to incorporate elements specific to Windows 7 because it doesn’t support that OS for this machine).

Thus, DriverAgent reports four drivers are “behind the times” on this machine, including:

The HP Bluetooth module

My Authentec AES2501A fingerprint scanner

The SigmaTel High Definition Audio codec

The integrated HP WebCam

Sure, I can install those newer drivers (and I’ve tried, believe me). But when I do, the related devices quit working. That’s why I keep an eye on the aforementioned owners lounge to see if anybody’s hacked any new drivers lately, but otherwise keep those items where they currently stand, so as to keep the device working properly.

Interestingly, I’ve also got an Asus Eee PC 1000HE which that company released before Windows 7 went commercial. Nevertheless, they’ve got a complete set of Windows 7 drivers and have even published a guide on how to upgrade the unit from its original Windows XP Home to any of several Windows 7 versions (I run Windows 7 Professional on my notebooks so I can use Remote Desktop Connection to access them from my primary desktop machine, but I’ve also successfully installed Windows 7 Starter and Windows 7 Home Premium on this notebook as well). Two very different attitudes and levels of support from two very different PC makers where, perhaps not surprisingly the up-and-coming upstart company (Asus) is a lot more helpful and supportive than the long-time market leader (HP). Go figure!

Late last week, I had the pleasure of speaking to Alon Yaffe, the Director of Marketing at InstallFree.com, the maker of a snazzy tool for application virtualization. In particular we talked about InstallFree 7bridge, an application compatibility solution that addresses the kinds of problems that can pop up when legacy or homegrown applications don’t run properly (or at all) in Windows 7. InstallFree 7bridge is particularly good at dealing with the kinds of issues that changing Windows compatibility settings in Windows 7 doesn’t fix, or when there are out-and-out conflicts, mismatches, or missing bits and pieces that prevent apps built for older Windows versions from running in a native Windows 7 environment.

7bridge closes the gap between Windows 7 and other key software components

Rather than launching an entire virtual machine (VM) to encompass and support a customized runtime environment that supports necessary functionality, InstallFree 7bridge runs in user mode, and creates a bridge between the application runtime and a virtual and physical interface into the Windows 7 host environment. Special filter drivers and what Yaffe jokingly called “special voodoo” come into play in the virtualization environment that handle COM, DCOM, the registry and various object requests that the application (or applications) need to work properly. The application launches in an environment called the PowerGuest Sandbox where it is equipped with all the parts and pieces it needs on the fly, including application dependency items, the application itself, application updates, and application add-ons or expansions. Everything binds together inside the sandbox so the user sees normal application behavior, and a special user data layer introduces statefulness and personalization to this otherwise generic but custom-crafted runtime environment. InstallFree 7bridge even handles GPOs including user rights, access rights, security controls, and so forth as if the app were running in its native host Windows environment.

The key to the voodoo part, apparently, is that InstallFree has a special tool it uses to bundle all the necessary runtime elements (except the user data part, which gets bound in at launch time) into a purpose-built runtime file that can be accessed via a fileshare across a network. Organizations and companies that need application specific runtime instances can get them built for $4K at InstallFree, then pay $25 a seat to push the custom runtime to as many simultaneous users as they care to pay for. The package and encapsulation toolset used to build the custom runtimes is also available (for $10K) and per-seat charges for packages customers build themselves go up to $50 (but the number of packages is unlimited and presumably customers won’t want to take that route unless the economics of buying on a per-package basis are more expensive than the general purpose solution with packaging/encapsulation and as many custom packages as are needed).

This technology is incredibly slick, and offers a low overhead way to deliver completely seamless application compatibility. In fact, inside the app, even built-in Windows interfaces reflect whatever version of Windows is used to generate the custom runtime package, so users absolutely maintain the original computing experience. This one’s worth checking out and digging into, and it offers broad compatibility (running multiple versions of JRE, IE 6, or older Office versions is no problem at all). Check it out at the InstallFree 7bridge product page.

About This Blog

The Windows Enterprise Desktop blog features topics of interest to IT professionals who work with Windows on large networks. Topics are Windows OS setup and configuration, release definition, deployment, migration, virtualization, terminal services, and security.